@RISK Online - The Security Blog
11/22/2000: "Viruses, Trojans, and CIA"
Back in 1990, the Jerusalem virus became the most prevalent virus in history. Some estimates show that over three years Jerusalem caused over $50 million in damage. Earlier this year, the Love Bug swept around the world in five hours and left up to $6 billion in damage.
Trojan horse programs used to be simple programs that would masquerade as some type of new utility program available to be downloaded, but would then destroy your precious information. Today trojans are not just destructive, but manipulative. They provide back doors into your systems, remote administrative capabilities, and covert tunnels through your firewalls. Just ask Microsoft executives how damaging or embarrassing this sort of program can be.
These threats are well known. They receive a high degree of publicity every time there's a new "outbreak" or rash of attacks. This publicity isn't just available through technology portals any more, either. Mainstream media sources now carry these news items as well.
This is also the age of INFOSEC, or Information Security. Security startups are as common in the Internet community as 7-11's are in your average residential neighborhood. So, with all this attention, why are we still so vulnerable? One would think the availability of information and resources would help us to be more secure, but that's obviously not the case. Where is the problem? Are crackers, script kiddies and virus/trojan programmers such geniuses that the average Fortune 500 company simply doesn't have the resources to protect themselves properly? I don't think so!
The problem appears to be "awareness". I'm not talking about awareness of threats… as discussed above, the public awareness of threats is probably at an all-time high. I'm talking about the awareness of "security" vs. "Security" (note capitalization). Many security startups are selling "security" solutions. They'll happily come to your site and install a firewall for you. They'll gladly perform a "penetration test" of your network. But that is only "security"… not "Security". They are tools-focused, with no comprehension of the big Security picture. As Bruce Schneier likes to say, "Security is a process, not a product". Simply put, a firewall doesn't make you safe, and a penetration test doesn't give you a true evaluation of your risk or exposure.
Any security solution is incomplete unless it begins with a complete Risk Assessment. Contrary to what you will hear from some people, this is NOT a Penetration Test! A Risk Assessment is a methodology designed to completely evaluate the current state of a company's Security Posture and Awareness.
Once an assessment has been completed, there will be an understanding of existing risks. These risks are evaluated, then procedures are implemented to ensure that information cannot be compromised or improperly accessed, modified or deleted. Throughout this process, the focus is on information CIA, or Confidentiality, Integrity, and Availability. Let's take a look at each aspect of CIA.
• Confidentiality concerns the prevention of unauthorized disclosure of information.
• Information Integrity must be protected to ensure there are no unauthorized changes, and that it is reliable and accurate.
• Information Availability means that it must be available when required. Accurate, confidential information that cannot be accessed in a timely manner has reduced value!
It's important to understand this aspect of security because a company that tells you a firewall makes you safe is not addressing all these aspects. They are, therefore, giving you a false sense of security. A firewall, by itself, is a partial measure to mitigate the risk to the Integrity of your information, but it does nothing to address risks of Confidentiality or Availability. Similarly, encryption is the best method to ensure information Confidentiality and some degree of Integrity, but does not address Availability. Availability can be improved through multiple data paths, access controls, proper back-up procedures and so on. Getting the idea? Great!
Virus protection software will help defend against known virus and trojan threats, but it is not a complete solution by itself either. There is no "silver bullet" for security. I feel that virus protection is critical for information security because it offers some degree of protection against all three aspects of CIA. It's obvious that viruses can affect the Integrity and Availability of your information, but trojans can directly impact Confidentiality as well.
I hope this has given everyone grounds to rethink their current security posture. Consider contacting a security-consulting firm for a Risk Assessment. But if their response is "No problem, we'll just put up a firewall", find someone else!